b'            Semiannual\n\n            Report to Congress\n\n            April 1, 2013 to\n\n            September 30, 2013\n\n\n\n\nOffice Of\ninspectOr General\n\n\n\n\n            U.S. SeCURITIeS And\n\n\n            exChAnGe CommISSIon\n\x0c\x0c                         Office Of inspectOr General\n\nSemiannual RepoRt to CongReSS\n                  april 1, 2013\xe2\x80\x93september 30, 2013\n\n\n\n\n T\n          he mission of the Office of Inspector General (OIG) is to prevent and detect fraud,\n          waste, and abuse and to promote the integrity, economy, efficiency, and effective\xc2\xad\n          ness in the critical programs and operations of the United States (U.S.) Securities\n and Exchange Commission (SEC or agency). This mission is best achieved by having an\n effective, vigorous, and independent office of seasoned and talented professionals. Those\n individuals carry out the OIG\xe2\x80\x99s mission by performing these functions:\n\n \xe2\x80\xa2\t   conducting\tindependent\tand\tobjective\taudits,\tevaluations,\tinspections,\tinvestigations,\t\n      and other reviews of SEC programs and operations;\n \xe2\x80\xa2\t   preventing\tand\tdetecting\tfraud,\twaste,\tabuse,\tand\tmismanagement\tin\tSEC\tprograms\t\n      and operations;\n \xe2\x80\xa2\t   identifying\tvulnerabilities\tin\tSEC\tsystems\tand\toperations\tand\trecommending\t\n      constructive solutions;\n \xe2\x80\xa2\t   offering\texpert\tassistance\tto\timprove\tSEC\tprograms\tand\toperations;\n \xe2\x80\xa2\t   communicating\ttimely\tand\tuseful\tinformation\tthat\tfacilitates\tmanagement\t\n      decisionmaking and the achievement of measurable gains; and\n \xe2\x80\xa2\t   keeping\tthe\tCommission\tand\tCongress\tfully\tand\tcurrently\tinformed\tof\tsignificant\t\n      issues and developments.\n\n\n\n\n                                                 APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013             |   i\n\x0c\x0c                                     ContentS\n\n\nmessaGe frOm the inspectOr General . . . . . . . . . . . . . . . . . . . . . . . . . 1\n\n\nmanaGement and administratiOn . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3\nAgency Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3\nOIG Staffing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3\nOIG Outreach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4\n\n\ncOnGressiOnal requests and briefinGs . . . . . . . . . . . . . . . . . . . . . . . . 5\n\n\nthe inspectOr General\xe2\x80\x99s statement On the sec\xe2\x80\x99s\nmanaGement and perfOrmance challenGes . . . . . . . . . . . . . . . . . . . . 6\nInformation Security . . . . .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   6\nProcurement and Contracting      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   7\nFinancial Management . . . .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   7\nHuman Capital Management .       .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   8\n\n\ncOOrdinatiOn with Other Offices Of inspectOr General . . . . . . . . . . . . 9\n\n\naudits and evaluatiOns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11\nOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11\n\n\nAudits and Evaluations Conducted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11\n   Implementation of the Current Guidance on Economic Analysis in\n        SEC Rulemakings (Report No. 516) . . . . . . . . . . . . . . . . . . . . . . . . . . 11\n    Use of the Current Guidance on Economic Analysis in SEC Rulemakings\n        (Report No. 518) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12\n\n\nPending Audits and Evaluations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13\n    Review of the SEC\xe2\x80\x99s 2013 Federal Information Security\n        Management Act (FISMA) Requirements . . . . . . . . . . . . . . . . . . . . . . . . 13\n    Audit of Government Purchase Card and Convenience Check\n       Operations and Practices at the SEC . . . . . . . . . . . . . . . . . . . . . . . . . . 13\n\n\n\n\n                                                                         APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013                                                                  |   iii\n\x0c             Assessment of the SEC\xe2\x80\x99s Physical Security Program . . . . . . . . . . . . . . . . . . . . . 14\n\n             Assessment of the Sanitization of the SEC\xe2\x80\x99s Information System Media . . . . . . . . . . 14\n\n             Assessment of the SEC\xe2\x80\x99s Hiring and Promotion Practices for Senior Level Staff . . . . . . 14\n\n\n         investiGatiOns. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15\n\n         Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .   . . . . 15\n\n         Investigations Conducted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .   . . . . 15\n\n             Investigation of Contract and Ethics Violations (Report No. OIG-576) . . . . . .         . . . . 15\n\n             Alleged Prohibited Personnel Practices and Improper Telework Arrangements\n\n                  (Case No. OIG-583) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .      .   .   .   . 16\n\n             Allegations of Prohibited Personnel Practices (Report No. OIG-586) . . . . . . .         .   .   .   . 16\n\n             Allegations of False Statements (Report No. OIG-587) . . . . . . . . . . . . . .         .   .   .   . 16\n\n             Allegations of Privacy Act Violations (Report No. OIG-588) . . . . . . . . . . .         .   .   .   . 16\n\n             Alleged Leak of Information Contained in an OIG Report (Case No. OIG-590) .              .   .   .   . 17\n\n             Violations of SEC Ethics Rules (Report No. OIG-594) . . . . . . . . . . . . . .          .   .   .   . 17\n\n\n\n         review Of leGislatiOn and reGulatiOns. . . . . . . . . . . . . . . . . . . . . . . . 18\n\n\n\n         manaGement decisiOns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18\n\n         Status of Recommendations with No Management Decisions . . . . . . . . . . . . .         .   .   .   .   . 18\n\n         Revised Management Decisions . . . . . . . . . . . . . . . . . . . . . . . . . . . .     .   .   .   .   . 18\n\n         Agreement with Significant Management Decisions . . . . . . . . . . . . . . . . . .      .   .   .   .   . 18\n\n         Instances Where the Agency Refused or Failed to Provide Information to the OIG . .       .   .   .   .   . 18\n\n\n\n         tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19\n\n         Table 1 List of Reports: Audits and Evaluations. . . . . . . . . . . . . . . . . . . . . . . . . 19\n\n         Table 2 Reports Issued with Costs Questioned or Funds Put to\n\n                      Better Use (Including Disallowed Costs) . . . . . . . . . . . . . . . . . . . . . . 19\n\n         Table 3 Reports with Recommendations on Which Corrective Action\n\n                    Has Not Been Completed. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20\n\n         Table 4 Summary of Investigative Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23\n\n         Table 5 Summary of Complaint Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23\n\n         Table 6 References to Reporting Requirements of the\n\n                     Inspector General Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24\n\n\n\n\n\niv   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cappendix a. peer reviews Of OiG OperatiOns . . . . . . . . . . . . . . . . . . . . . 25\nPeer Review of the SEC OIG\xe2\x80\x99s Audit Operations . . . . . . . . . . . . . . . . .                                        .   .   .   .   .   .   . 25\nPeer Review of the SEC OIG\xe2\x80\x99s Investigative Operations . . . . . . . . . . . . . .                                      .   .   .   .   .   .   . 25\nPeer Review of the Library of Congress OIG\xe2\x80\x99s Audit Operations . . . . . . . . .                                        .   .   .   .   .   .   . 25\nPeer Review of the Federal Election Commission OIG\xe2\x80\x99s Investigative Operations.                                         .   .   .   .   .   .   . 26\n\n\nappendix b. OiG sec emplOyee suGGestiOn prOGram annual repOrt . . . . . . 27\nOverview . . . . . . . . . . . . . . . . . . . . . .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 27\nSummary of Employee Suggestions and Allegations        .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 27\nExamples of Suggestions and Allegations . . . . . .    .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 28\nConclusion . . . . . . . . . . . . . . . . . . . . .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 30\n\n\n\n\n                                                  APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013                                                                  |   v\n\x0c\x0c                            meSSage fRom the\n                           inSpeCtoR geneRal\n\n\n\n                               I\n                                      am pleased to present this Semiannual Report to Con\xc2\xad\n                                      gress as Inspector General (IG) of the U.S. Securities and\n                                      Exchange Commission (SEC or agency). This report\n                                describes the work of the SEC Office of Inspector General\n                                (OIG) from April 1, 2013, to September 30, 2013. It also\n                                reflects our dual responsibility to report independently to\n                                both the Commission and Congress. The audits, reviews, and\ninvestigations that we describe illustrate the OIG\xe2\x80\x99s efforts to promote the efficiency\nand effectiveness of the SEC.\n\nThis Semiannual Report covers my first full                during the coming months to improve the OIG\xe2\x80\x99s\n6-month reporting period as the SEC IG since being         audit and investigative capabilities. I am working\nsworn in on February 11, 2013. When I arrived, the         closely with the SEC Office of Human Resources to\nSEC OIG had been operating with several staffing           fill critical positions as quickly as possible.\ndeficiencies. I am pleased to report that in the past 6\nmonths we have hired two key senior leaders who            The OIG leadership team continues to review and\nhave greatly improved the efficiency and effective\xc2\xad        strengthen our internal processes and procedures\nness of the SEC OIG. We hired a Deputy IG who              to ensure that we are an effective, responsive entity.\nbrings many years of knowledge of the SEC and the          To that end, we have recently issued revised poli\xc2\xad\nIG community, and we hired an Assistant Inspector          cies and procedures for investigations, and we are\nGeneral for Investigations with extensive experience       working to implement new automated content\nas a criminal investigator and supervisor.                 management systems that will improve our effi\xc2\xad\n                                                           ciency and streamline our processes for both the\nNonetheless, the SEC OIG continues to face a               Office of Audits and the Office of Investigations.\nshortage in both its audit and investigative staff\nand is currently operating at about 70 percent of its      In July 2013, we issued an SEC administrative\ncapacity. I will continue to focus on adding OIG staff     regulation entitled \xe2\x80\x9cRoles, Authority, and Respon-\n\n\n                                                          APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013                 |   1\n\x0csibilities of the Office of Inspector General.\xe2\x80\x9d This   The SEC OIG Office of Investigations completed\nregulation outlines the roles, authorities, and        eight investigations during the reporting period\nresponsibilities of the SEC OIG. It also describes     about various topics, including the unauthorized\nthe obligation of all SEC employees to cooperate       disclosure of nonpublic information, financial con\xc2\xad\nfully with the OIG and ensure access to records and    flicts of interest, and violations of the Privacy Act\npersonnel that the OIG needs during its investiga\xc2\xad     of 1974. Our investigative reports and memoranda\ntions, audits, evaluations, and other activities, as   resulted in five referrals to the agency for consider\xc2\xad\nwell as management\xe2\x80\x99s role in commenting on and         ation of appropriate administrative action, as well\nclosing out recommendations made in OIG reports.       as several specific recommendations for improve\xc2\xad\n                                                       ments in the agency\xe2\x80\x99s policies and procedures.\nDuring the next semiannual reporting period, we\nintend to begin an outreach program to all SEC         In closing, I want to emphasize my firm commit\xc2\xad\nemployees, including those in SEC regional offices.    ment to executing the SEC OIG\xe2\x80\x99s mission to\nThese outreach efforts will further enhance the SEC    promote the integrity, efficiency, and effectiveness\nemployees\xe2\x80\x99 understanding of the role and function      of the programs and operations of the SEC and to\nof the OIG and educate employees on the ethics         reporting our findings and recommendations to\nrequirements and their obligations to report waste,    the agency and Congress. The OIG will improve\nfraud, abuse, and corruption to the appropriate        its efficiency and effectiveness by making organiza\xc2\xad\nauthorities.                                           tional and procedural changes and by increasing its\n                                                       staffing resources. We will also continue to work\nAlthough the SEC OIG has faced challenges dur\xc2\xad         collaboratively with SEC management to assist the\ning this semiannual reporting period, the SEC          agency in addressing the challenges it faces in its\nOIG staff remains dedicated to promoting the           unique and important mission of protecting inves\xc2\xad\nefficiency and effectiveness of the SEC\xe2\x80\x99s programs     tors, maintaining fair, orderly, and efficient mar\xc2\xad\nand operations. During the reporting period, the       kets, and facilitating capital formation.\nOffice of Audits issued two reports that Congress\nhad requested about the economic analyses that the     I appreciate the significant support that the Office\nSEC performs as part of its rulemaking processes.      has received from Congress and the Commission.\nThe reports contain seven recommendations              We look forward to continuing to work closely\nthat, if fully implemented, should strengthen the      with the SEC Chair, Commissioners, and employ\xc2\xad\nSEC\xe2\x80\x99s economic analyses in support of its rule-        ees, as well as Congress, to increase efficiency and\nmakings. The Office of Audits and the Office of        effectiveness in the SEC\xe2\x80\x99s programs and operations.\nInvestigations also worked with SEC management\nto close 62 recommendations made in OIG reports\nissued during this and previous semiannual report\xc2\xad\ning periods.\n                                                                         carl w. hoecker\n                                                                         Inspector General\n\n\n\n\n2   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0c                             management and\n\n                              adminiStRation\n\n\naGency Overview                                           Protection Corporation (SIPC), and the Financial\n\n\n\nT\n         he SEC\xe2\x80\x99s mission is to protect investors,        Accounting Standards Board (FASB).\n         maintain fair, orderly, and efficient markets,\n         and facilitate capital formation. The SEC        The SEC also reviews disclosures and financial\nstrives to promote a market environment that is           statements of approximately 9,100 reporting com\xc2\xad\nworthy of the public\xe2\x80\x99s trust and characterized by         panies. Recently, the agency\xe2\x80\x99s responsibilities have\ntransparency and integrity. Its core values consist of    increased,\twith\tnew\tor\texpanded\tjurisdiction\tover\t\nintegrity, accountability, effectiveness, teamwork,       securities-based derivatives, hedge fund and other\nfairness, and commitment to excellence. The SEC\xe2\x80\x99s         private fund advisers, credit rating agencies, munici\xc2\xad\ngoals are to foster and enforce compliance with the       pal advisors, clearing agencies, and a new regime for\nFederal securities laws; establish an effective regula\xc2\xad   crowdfunding offerings.\ntory environment; facilitate access to the information\ninvestors need to make informed investment deci\xc2\xad          The SEC accomplishes its mission through 5 main\nsions; and enhance the SEC\xe2\x80\x99s performance through          divisions\xe2\x80\x94Corporation Finance, Enforcement,\neffective alignment and management of human               Investment Management, Trading and Markets, and\nresources, information, and financial capital.            Economic and Risk Analysis\xe2\x80\x94and 21 functional\n                                                          offices. The SEC\xe2\x80\x99s headquarters is in Washington,\nSEC staff members monitor and regulate a securi\xc2\xad          D.C., and there are 11 regional offices located\nties industry comprising more than 25,000 market          throughout the country. As of the end of fiscal\nparticipants, including about 10,600 investment           year (FY) 2013, the SEC employed 4,023 fulltime\nadvisers, 9,700 mutual funds and exchange-traded          equivalent (FTE) employees, consisting of 3,903\nfunds, 4,600 broker-dealers, and approximately            permanent and 120 temporary FTE employees.\n460 transfer agents. The SEC also oversees 17\nnational securities exchanges, 7 active registered        OiG staffinG\nclearing agencies, and 10 nationally recognized           In May 2013, the Inspector General appointed the\nstatistical rating organizations (NRSROs), as well        Deputy Inspector General, and in July 2013, the\nas the Public Company Accounting Oversight                Inspector General appointed the Assistant Inspector\nBoard (PCAOB), the Financial Industry Regula\xc2\xad             General for Investigations. Their biographies are on\ntory Authority (FINRA), the Municipal Securities          the OIG\xe2\x80\x99s website at http://www.sec.gov/about/oig/\nRulemaking Board (MSRB), the Securities Investor          inspector_general_admin_bios.shtml. Although the\n\n\n\n\n                                                          APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013                |    3\n\x0cOIG filled these key leadership roles, several audit     In addition, the OIG developed and issued to all\nand investigative staff positions are vacant. Filling    SEC staff an administrative regulation entitled,\nthose vacancies is a priority for the OIG.               \xe2\x80\x9cRoles, Authority, and Responsibilities of the Office\n                                                         of Inspector General.\xe2\x80\x9d This regulation sets forth in\nOiG Outreach                                             detail the roles, authority, and responsibilities of the\nDuring the semiannual reporting period, the IG           SEC OIG, as well as the roles and responsibilities\nregularly met with the Chair, Commissioners, and         of all SEC employees regarding OIG investigations,\nSEC division and senior officers to foster open com\xc2\xad     audits, evaluations, and other activities. It describes\nmunication at all levels between the OIG and the         employees\xe2\x80\x99 obligation to cooperate fully with the\nagency. This effort ensures that the OIG is kept up to   OIG and to disclose waste, fraud, abuse, and\ndate on significant, current matters that are relevant   corruption to the appropriate authorities, including\nto the OIG\xe2\x80\x99s work. This regular communication            the OIG.\nalso allows the OIG and agency management to\nwork cooperatively to identify the most important        The OIG also intends to begin an outreach pro\xc2\xad\nareas for the OIG\xe2\x80\x99s work, as well as the best means      gram to all SEC employees, including those in SEC\nof addressing the results of that work. The OIG          regional offices. These outreach efforts will include\ncontinually strives to keep apprised of changes to       integrity awareness briefings designed to enhance\nagency programs and operations and will keep SEC         the SEC employees\xe2\x80\x99 understanding of the role and\nmanagement informed of the OIG\xe2\x80\x99s activities and          function of the OIG, as well as to educate employees\nconcerns raised in the course of its work.               on the applicable ethics requirements and their duty\n                                                         to report waste, fraud, abuse, and corruption to the\n                                                         appropriate authorities.\n\n\n\n\n4   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0c                     CongReSSional\n\n                  ReQueStS and BRiefingS\n\n\n\nT\n        he OIG continued to keep Congress fully       Committee also asked us to identify the three open\n        and currently informed of OIG activities      and unimplemented recommendations that the SEC\n        through briefings, reports, meetings, and     OIG considered to be the most important or urgent.\nresponses to Congressional inquiries. Throughout      In its June 28, 2013, response, the OIG provided\nthe semiannual reporting period, the Inspector Gen\xc2\xad   the Committee with information on how many\neral and OIG staff briefed Congressional staff and    recommendations were open and unimplemented\ndiscussed with them OIG work and issues impact\xc2\xad       and also identified the three open and unimple\xc2\xad\ning the SEC.                                          mented recommendations that the OIG deemed to\n                                                      be the most important or urgent at that time. Two\nIn addition, on June 17, 2013, the U.S. House of      of the three recommendations were implemented\nRepresentatives Committee on Oversight and Gov\xc2\xad       and closed prior to the end of the reporting period.\nernment Reform asked the OIG for information on       SEC management notified the OIG that it intends\nhow many OIG recommendations were open and            to implement the third recommendation during the\nunimplemented, as well as any estimated cost sav\xc2\xad     first quarter of FY 2014.\nings associated with those recommendations. The\n\n\n\n\n                                                      APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013              |   5\n\x0cthe inSpeCtoR geneRal\xe2\x80\x99S Statement\n\n     on the SeC\xe2\x80\x99S management\n\n  and peRfoRmanCe ChallengeS\n\n\n\nT\n        he Reports Consolidation Act of 2000                            to complete annual security awareness training,\n        requires the SEC OIG to identify and report                     information security1 continues to be a management\n        annually on the most serious management                         challenge at the SEC. Specifically, OIT\xe2\x80\x99s compliance\nchallenges that the SEC faces. To identify manage\xc2\xad                      with the Federal Information Security Management\nment challenges, we routinely review past and                           Act (FISMA) remains a management challenge\nongoing audit, investigation, and evaluation work                       this year because OIT has not fully addressed the\nto identify material weaknesses, significant deficien\xc2\xad                  findings and recommendations that were identified\ncies, and vulnerabilities. We compiled this statement                   in the OIG\xe2\x80\x99s previously issued FISMA reports. For\non the basis of the work that we completed over                         example, in the 2012 FISMA Executive Summary\nthe past year; our knowledge of the SEC\xe2\x80\x99s programs                      Report, Report No. 512, issued March 29, 2013,\nand operations; and feedback from SEC staff and                         the OIG found that OIT had not fully addressed\nthe U.S. Government Accountability Office (GAO)                         three findings and six recommendations that were\nauditors who conduct the SEC\xe2\x80\x99s annual financial                         included in the 2011 FISMA Executive Summary\nstatement audit.                                                        Report, Report No. 501, issued February 2, 2012.\n                                                                        The OIG found that OIT had not fully implemented\ninfOrmatiOn security                                                    compliance scanning for network devices, multifac\xc2\xad\nAlthough the Office of Information Technology                           tor authentication for the SEC\xe2\x80\x99s personal identity\n(OIT) has established policies for handling and safe\xc2\xad                   verification program, and baseline security controls\nguarding sensitive and nonpublic information and                        that are tailored for specific information technology\nrequires SEC employees, contractors, and interns                        (IT) systems.\n\n\n\n1   The Federal Information Security Management Act (FISMA) provides that \xe2\x80\x9c[t]he term \xe2\x80\x98information security\xe2\x80\x99 means protecting\n    information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to\n    provide\xe2\x80\x94(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring infor\xc2\xad\n    mation nonrepudiation and authenticity; (B) confidentiality, which means preserving authorized restrictions on access and disclosure,\n    including means for protecting personal privacy and proprietary information; and (C) availability, which means ensuring timely and\n    reliable access to and use of information.\xe2\x80\x9d 44 U.S.C. \xc2\xa7 3542(b)(1).\n\n\n\n\n6   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cWhile the conditions found in the 2012 FISMA                          services and to avoid the contracting out of inher\xc2\xad\nreport could expose the SEC to threats should                         ently governmental functions.\nlayered controls break down, OIT made progress\nthis year in addressing the findings and recommen\xc2\xad                    Despite those improvements, the OIG has found\ndations that posed a greater risk to the SEC\xe2\x80\x99s IT                     that the SEC\xe2\x80\x99s monitoring of its contracts is a con\xc2\xad\nenvironment. However, OIT has not fully addressed                     tinuing challenge. Specifically, the OIG has obtained\nsome outstanding significant findings and recom\xc2\xad                      information indicating that there may be insufficient\nmendations.                                                           controls over the tracking of funds or the approval\n                                                                      of invoices for certain contracts and/or interagency\nInformation security is a particularly difficult man\xc2\xad                 agreements, as well as inconsistencies between the\nagement challenge because the SEC not only shares                     nature of the services provided and the requirements\ninformation internally among its divisions and                        of the applicable task order. We are planning audit\noffices, but also shares information externally with                  work in this area and will continue to monitor it\nthe regulated community and financial regulators.                     closely.\nThis sharing of external information is necessary to\naccomplish the SEC\xe2\x80\x99s mission of protecting inves\xc2\xad                     financial manaGement\ntors and maintaining fair, orderly, and efficient                     The GAO\xe2\x80\x99s audit of the SEC\xe2\x80\x99s FY 2012 finan\xc2\xad\nmarkets that facilitate capital formation. We will                    cial statements2 found that the SEC\xe2\x80\x99s financial\ncontinue to review OIT\xe2\x80\x99s security controls over the                   statements were fairly presented, in all material\nSEC\xe2\x80\x99s information systems during the upcoming                         respects, in conformity with U.S. generally accepted\nannual FISMA assessment. We will also continue                        accounting principles. That audit also found that,\nto review the SEC\xe2\x80\x99s handling of sensitive, nonpublic                  although internal controls could be improved, the\ninformation.                                                          SEC maintained, in all material respects, effective\n                                                                      internal controls over financial reporting. How\xc2\xad\nprOcurement and cOntractinG                                           ever, the GAO identified significant deficiencies in\nSince we first identified the SEC\xe2\x80\x99s process for                       accounting for budgetary resources and property\nprocurement and contracting as a management                           and equipment. The GAO found that these defi\xc2\xad\nchallenge in FY 2008, the Office of Acquisitions                      ciencies are related, in part, to the SEC\xe2\x80\x99s transition\n(OA) has improved its internal controls in this area.                 of its core financial system to the Department of\nMost recently, in July 2013, OA published a revised                   Transportation\xe2\x80\x99s Enterprise Service Center Federal\nadministrative regulation and operating procedure                     Shared Service Provider (FSSP).\non the management and administration of service\ncontracts. The revised regulation provides direc\xc2\xad                     In FY 2012, the OIG identified the inherent risks\ntion for the avoidance of contracting for inherently                  that are associated with transitioning to a new\ngovernmental functions or personal services, as well                  financial system as a management challenge. In its\nas appropriate management procedures for acquir\xc2\xad                      management report to the SEC issued in April 2013,\ning and managing functions closely associated with                    the GAO noted the following:\ninherently governmental functions and critical func\xc2\xad\ntions. The operating procedure is designed to assist                        [I]n April 2012, SEC migrated its core financial\nthe SEC in addressing service contracts and personal                        system operations to a shared service provider.\n\n\n\n\n2   GAO\xe2\x80\x99s FY 2012 financial statement audit included SEC\xe2\x80\x99s general purpose and Investor Protection Fund (IPF) financial statements.\n\n\n\n\n                                                                     APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013                           |   7\n\x0c        . . . [W]e identified new control deficiencies dur\xc2\xad             describing SEC\xe2\x80\x99s culture, many current and for\xc2\xad\n        ing our fiscal year 2012 audit related to SEC\xe2\x80\x99s                 mer SEC employees cited low morale, distrust\n        monitoring controls over the service provider\xe2\x80\x99s                 of management, and the compartmentalized,\n        core financial system operations, including                     hierarchical, and risk-averse nature of the orga\xc2\xad\n        those related to budgetary accounting and                       nization. According to an Office of Personnel\n        reporting activities.3                                          Management (OPM) survey of federal employ\xc2\xad\n                                                                        ees, SEC currently ranks 19 of 22 similarly\nFurther, the GAO stated that the \xe2\x80\x9cSEC did not                           sized federal agencies based on employee satis\xc2\xad\ndevelop monitoring procedures over property and                         faction and commitment. GAO\xe2\x80\x99s past work on\nequipment transactions recorded by its service                          managing for results indicates that an effective\nprovider at the time of its transition to the FSSP\xe2\x80\x99s                    personnel management system will be critical\ngeneral ledger system.\xe2\x80\x9d4 We will continue to moni\xc2\xad                      for transforming SEC\xe2\x80\x99s organizational culture.5\ntor the SEC\xe2\x80\x99s use of the FSSP.\n                                                                   One key area that the GAO report highlighted as\nhuman capital manaGement                                           needing improvement was workforce planning. The\nSection 962 of the Dodd-Frank Wall Street Reform                   GAO noted that the \xe2\x80\x9cSEC has not yet developed\nand Consumer Protection Act (Dodd-Frank Act)                       a comprehensive workforce plan\xe2\x80\x9d and, as a result,\nrequired the GAO to report on the SEC\xe2\x80\x99s personnel                  \xe2\x80\x9cwill not be able to make well-informed decisions\nmanagement. In its report issued in July 2013, the                 on how to best meet current and future agency\nGAO concluded the following:                                       needs.\xe2\x80\x9d6 The GAO further found that while the SEC\n                                                                   has made efforts to improve communication and\n        Based on analysis of views from Securities and             collaboration, it \xe2\x80\x9chas not yet fully addressed barri\xc2\xad\n        Exchange Commission (SEC) employees and                    ers.\xe2\x80\x9d7 The SEC has recently launched the SEC Local\n        previous studies from GAO, SEC, and third                  Labor Management Forum under Executive Order\n        parties, GAO determined that SEC\xe2\x80\x99s organi\xc2\xad                 13522, Creating Labor-Management Forums to\n        zational culture is not constructive and could             Improve Delivery of Government Services, to foster\n        hinder its ability to effectively fulfill its mis\xc2\xad         a cooperative and productive form of labor-man\xc2\xad\n        sion. Organizations with constructive cultures             agement relations. The OIG will continue to review\n        are more effective and employees also exhibit              the progress of this and other efforts to improve the\n        a stronger commitment to mission focus. In                 SEC\xe2\x80\x99s management of human capital.\n\n\n\n\n3   GAO-13-274R, Management Report: Improvements Needed in SEC\xe2\x80\x99s Internal Controls and Accounting Procedures, April 4, 2013,\n    p. 3 (footnote omitted).\n4   Id., p. 7.\n5   GAO-13-621, Securities and Exchange Commission: Improving Personnel Management Is Critical for Agency\xe2\x80\x99s Effectiveness, July\n    2013.\n6   Id.\n7   Id.\n\n\n\n\n8   |    OIG SEMIANNUAL REPORT TO CONGRESS\n\x0c          CooRdination With otheR\n\n         offiCeS of inSpeCtoR geneRal\n\n\n\nD\n         uring this semiannual reporting period, the    General community on issues involving criminal\n         SEC OIG coordinated its activities with        investigations and criminal investigations person\xc2\xad\n         those of other OIGs, as required by Section    nel and establish criminal investigative guidelines.\n4(a)(4) of the Inspector General Act of 1978, as        The Investigations Committee revised, and issued\namended. Specifically, the OIG participated in the      in June 2013, the CIGIE Guidelines on Undercover\nmeetings and activities of the Council of Inspectors    Operations.\nGeneral on Financial Oversight (CIGFO), which\nwas established by the Dodd-Frank Act.                  Moreover, the Counsel to the IG participated in the\n                                                        activities of the Council of Counsels to the Inspec\xc2\xad\nThe chairman of CIGFO is the IG of the Depart\xc2\xad          tors General. The Council is an informal organi\xc2\xad\nment of Treasury. Other members of the Council are      zation of OIG attorneys, throughout the Federal\nthe Inspectors General of the Board of Governors of     government, who meet monthly and coordinate and\nthe Federal Reserve System, the Commodity Futures       share information.\nTrading Commission, the Department of Housing\nand Urban Development, the Federal Deposit Insur\xc2\xad       The OIG Office of Audits also participated in vari\xc2\xad\nance Corporation, the Federal Housing Finance           ous CIGIE activities. For example, a representative\nAgency, the National Credit Union Administration,       of the Office of Audits was a member of a working\nand the SEC, and the Special Inspector General          group that is revising the Guide for Conducting\nfor the Troubled Asset Relief Program. Under the        External Peer Reviews of the Audit Organizations\nDodd-Frank Act, CIGFO is required to meet at            of Federal Offices of Inspector General. The Office\nleast quarterly to facilitate the sharing of informa\xc2\xad   of Audits also worked on the curriculum review\ntion. Those meetings focus on issues applicable to      conference for the CIGIE introductory auditor\nthe broader financial sector and ways to improve        training program. In addition, the Office of Audits\nfinancial oversight.                                    participated in the CIGIE Federal Audit Executive\n                                                        Council\xe2\x80\x99s Audit Policies and Practices Committee.\nIn addition, the IG attended meetings of the Council\nof the Inspectors General on Integrity and Efficiency   Finally, in the semiannual reporting period, OIG\n(CIGIE) and served as the Chairman of the CIGIE         staff assisted another OIG in comparing its busi\xc2\xad\nInvestigations Committee. The mission of the            ness practices and performance metrics to those of\nInvestigations Committee is to advise the Inspector     other OIGs (i.e., \xe2\x80\x9cbenchmarking\xe2\x80\x9d), in coordination\n\n\n\n\n                                                        APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013               |    9\n\x0cwith CIGIE, in two areas: 1) measuring savings              efforts: 1) the IG\xe2\x80\x99s presentation at an SEC town hall\nand return on investment of inspections, evalua\xc2\xad            meeting; 2) the OIG FY 2014 audit planning process\ntions, and performance audits; and 2) developing            (which included meetings with almost all of the SEC\nan OIG outreach program at multiple agency levels           divisions and offices); 3) publication of a new OIG\nto provide information about the results of OIG             regulation, for which the OIG provided staff with\nactivities\tand\tto\tsolicit\tinput\tfor\tfuture\tOIG\tprojects.\t   an email address for submitting questions about the\nTo support these benchmarking efforts, the SEC              regulation; and 4) planned integrity awareness brief\xc2\xad\nOIG shared information on various OIG outreach              ings in SEC regional offices.\n\n\n\n\n10   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0c                  auditS and eValuationS\n\n\nOverview                                                   The primary purpose of an audit or evaluation is to\n\n\n\nT\n         he Inspector General Act of 1978, as              review the agency\xe2\x80\x99s past operations and performance\n         amended, requires OIGs to conduct and             to determine compliance with applicable laws, rules,\n         supervise independent audits and evalua\xc2\xad          and regulations. At the completion of an audit or\ntions of their agencies\xe2\x80\x99 programs, operations, and         evaluation, the OIG issues an independent report in\nactivities. The SEC Office of Audits focuses on            which it identifies any deficiencies and makes recom\xc2\xad\nconducting, coordinating, and supervising indepen\xc2\xad         mendations to correct those deficiencies or increase\ndent audits and evaluations of the SEC\xe2\x80\x99s internal          efficiencies in an SEC program.\nprograms and operations at its headquarters and\n11 regional offices. The Office of Audits also hires,\nas\tneeded,\tcontractors\tand\tsubject\tmatter\texperts,\t        audits and evaluatiOns\nwho provide technical expertise in specific areas, to      cOnducted\nperform work on behalf of the OIG. In addition, the\nOffice of Audits monitors the SEC\xe2\x80\x99s progress in tak\xc2\xad       implementation of the current Guidance\ning corrective actions on recommendations in OIG           on economic analysis in sec rulemakings\naudit and evaluation reports.                              (report no. 516)\n                                                           In March 2012, the SEC issued guidance for staff to\nEach year, the Office of Audits prepares an annual         follow in conducting economic analysis in agency\naudit plan. The plan includes work that the Office         rulemaking that contained both substantive and pro\xc2\xad\nselects for audit or evaluation on the basis of risk       cess requirements (referred to as the \xe2\x80\x9cCurrent Guid\xc2\xad\nand materiality, known or perceived vulnerabilities        ance\xe2\x80\x9d). Beginning in December 2012, in response\nand inefficiencies, resource availability, and informa\xc2\xad    to a Congressional request, the OIG evaluated the\ntion received from Congress, internal SEC staff, the       SEC\xe2\x80\x99s implementation of the Current Guidance. In\nGAO, and the public.                                       response to that Congressional request, the SEC\n                                                           OIG examined whether the SEC had 1) used the\nThe Office conducts its audits in compliance with          Current Guidance since its issuance in March 2012\nGenerally Accepted Government Auditing Standards           to develop economic analyses in its rulemakings;\n(GAGAS) issued by the Comptroller General of the           2) developed procedures to implement the Current\nUnited States. OIG evaluations follow applicable           Guidance; 3) improved its process for economic\nCIGIE Quality Standards for Inspections and Evalu\xc2\xad         analysis; and 4) incorporated comments from the\nations and GAGAS standards.                                OIG and others in the Current Guidance.\n\n\n                                                          APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013               |   11\n\x0cThe OIG issued the final report on June 6, 2013. In     for economic analysis, it also acknowledges the need\nthat report, the OIG found that the SEC had used        for flexibility in the context of particular rulemak\xc2\xad\nthe Current Guidance since its issuance in March        ings. We found that the SEC rules in our sample fol\xc2\xad\n2012 to develop economic analyses for rulemakings.      lowed the spirit and intent of the Current Guidance.\nHowever, the OIG determined that the SEC had not\nissued written operating procedures implementing        All of the rules that we evaluated met two of the\nthat Guidance. The OIG also found that the SEC          four substantive requirements specified in the Cur\xc2\xad\nhas taken steps to improve its process for economic     rent\tGuidance\xe2\x80\x94identifying\ta\tjustification\tfor\tthe\t\nanalysis by requiring the participation of specially    rule and considering alternatives to the rule\xe2\x80\x94and the\nqualified SEC economists in economic analysis and       one process requirement for integrating economic\nthe development of a formal review and concurrence      analyses into SEC rulemakings. Further, we found\nprocess for economic analysis. Finally, we found that   no notable differences in economic methodologies in\nthe SEC had incorporated, into its Current Guid\xc2\xad        support of rulemakings across rulemaking divisions.\nance, recommendations that it had received from the\nSEC OIG\xe2\x80\x99s followup review of Dodd-Frank rule-           As to the other two substantive requirements in the\nmaking, a GAO report on Dodd-Frank rulemaking,          Current Guidance, we determined that some rules\nand a U.S. Court of Appeals opinion that vacated an     could have better clarified and specified the baselines\nSEC rule.                                               in the economic analysis section of the rule releases\n                                                        and that some descriptions of baseline conditions\nIn its report, the OIG made one recommendation\xe2\x80\x94         did not specifically address the state of efficiency,\nthat the SEC issue written operating procedures for     competition, and capital formation. In addition,\nits economic analysis process implementing the Cur\xc2\xad     we found that only 1 of the 12 rules in our sample\nrent Guidance. The intent of the recommendation         included a quantification of benefits of the regula\xc2\xad\nwas to strengthen that process. Management agreed       tory action. Moreover, where the rulewriting team\nto implement the recommendation, and the SEC            determined that the quantification of certain costs\nChair has issued written \xe2\x80\x9cOperating Procedures for      or benefits was not practicable, the reasons for that\nEconomic Analysis to Implement the Current Guid\xc2\xad        determination were not always fully documented in\nance.\xe2\x80\x9d As a result, the recommendation has been         the release text.\nclosed. The OIG\xe2\x80\x99s report is available on its website\nat http://www.sec-oig.gov/Reports/Audits                We also found that 1) the Financial Industry\nInspections/2013/516.pdf.                               Regulatory Authority, other self-regulatory organi\xc2\xad\n                                                        zations\tunder\tthe\tSEC\xe2\x80\x99s\tjurisdiction,\tand\tthe\tPublic\t\nuse of the current Guidance on                          Company Accounting Oversight Board are not\neconomic analysis in sec rulemakings                    required to follow the SEC\xe2\x80\x99s Current Guidance in\n(report no. 518)                                        their rulemakings; and 2) it would be beneficial for\nIn response to the Congressional request discussed      the SEC to explore estimation methodologies and\nin the Report No. 516 summary above, the OIG            practices that other Federal administrative agencies\ncontracted the services of HDR Engineering, Inc., to    use in their rulemakings.\nconduct a more extensive evaluation of the SEC\xe2\x80\x99s use\nof the Current Guidance in its rulemakings.             The OIG issued the final report on June 6, 2013, and\n                                                        made six recommendations intended to strengthen\nThe evaluation focused on whether economic analy\xc2\xad       the SEC\xe2\x80\x99s economic analysis process. For example,\nses in SEC rulemakings complied with the principles     we recommended that, in consultation with the\nand policies of the Current Guidance. While the         SEC rulemaking divisions and offices, the Division\nCurrent Guidance sets forth certain requirements        of Risk, Strategy, and Financial Innovation (now\n\n\n\n12   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0ccalled the Division of Economic and Risk Analysis)       On the basis of NIT\xe2\x80\x99s recommendations, we will\ndevelop a general outline for economic analysis sec\xc2\xad     respond to the standardized questions, which all\ntions in rule releases. We also recommended that the     executive agencies are required to answer, that are\nDivision consider whether to create a management         contained in \xe2\x80\x9cFY 2013 Inspector General Federal\ncontrol, such as a guide, to achieve greater consis\xc2\xad     Information Security Management Act Reporting\ntency in presentation of economic analyses.              Metrics.\xe2\x80\x9d The contractor will summarize its recom\xc2\xad\n                                                         mendations and findings in a report, which we will\nSEC management agreed to implement all of the            issue before the end of the next semiannual report\xc2\xad\nreport\xe2\x80\x99s recommendations and was in the process          ing period.\nof doing so at the end of the semiannual reporting\nperiod. The OIG\xe2\x80\x99s report is available on its website     audit of Government purchase card and\nat http://www.sec-oig.gov/Reports/Audits                 convenience check Operations and\nInspections/2013/518.pdf.                                practices at the sec\n                                                         On October 5, 2012, President Obama signed Public\n                                                         Law 112-194, Government Charge Card Abuse\npendinG audits and evaluatiOns                           Prevention Act of 2012 (the Act). The Act requires\n                                                         heads of executive agencies that issue and use\nreview of the sec\xe2\x80\x99s 2013 federal                         purchase cards and convenience checks to establish\ninformation security management act                      and maintain safeguards and internal controls over\n(fisma) requirements                                     their usage. The Act also requires the inspector\nFISMA requires each Federal agency to develop,           general of each executive agency to conduct peri\xc2\xad\ndocument, and implement an agencywide program            odic assessments to identify and analyze the risks of\nthat provides security for the information and infor\xc2\xad    illegal, improper, or erroneous uses of purchase cards\nmation systems supporting the operations and assets      or convenience checks and to perform analysis or\nof the agency. FISMA further requires the agency\xe2\x80\x99s       audits of purchase card transactions, as necessary.\ninspector general to independently evaluate and\nreport annually on how the agency\xe2\x80\x99s chief informa\xc2\xad       The OIG is conducting an audit of the SEC\xe2\x80\x99s\ntion officer, senior agency official for privacy, and    government purchase card and convenience check\nprogram officials implement the agency\xe2\x80\x99s informa\xc2\xad        operations\tand\tpractices.\tThe\tobjectives\tof\tthe\t\ntion security program.                                   audit are to:\n                                                         \xe2\x80\xa2\t determine\twhether\tthe\tSEC\xe2\x80\x99s\tpurchase\tcard\tand\t\nThe OIG hired a contractor, Networking Institute             convenience check programs operate effectively\nof Technology, Inc. (NIT), which has information             and are properly managed in compliance with\ntechnology expertise, to conduct the OIG\xe2\x80\x99s FY 2013           governing laws and regulations and agency\nFISMA review of the SEC\xe2\x80\x99s information security               policy; and\nprogram. NIT will evaluate and report to us on the       \xe2\x80\xa2\t assess\twhether\tthe\tSEC\xe2\x80\x99s\tpurchase\tcard\tand\t\nfollowing aspects of the SEC\xe2\x80\x99s security program:             convenience check programs\xe2\x80\x99 internal controls\ncontinuous monitoring; configuration management;             have been adequately designed, appropriately\nidentity and access management; incident response            implemented, and are operating effectively to\nand reporting; risk management; security training;           detect misuse, fraud, waste, or abuse by card\xc2\xad\nplan of action and milestones process; remote access         holders or others who attempt to manipulate\nmanagement; contractor systems; and security                 the programs.\ncapital planning.\n                                                         The OIG will also determine whether the SEC has\n                                                         best practices for its purchase card program and\n\n\n\n                                                        APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013               |   13\n\x0cwhether there are areas that need improvement. We           tion system media, when it leaves the SEC\xe2\x80\x99s control,\nexpect to issue a final report in the next semiannual       has been properly sanitized of 1) sensitive/nonpublic\nreporting period.                                           information, 2) controlled unclassified information,\n                                                            and 3) personally identifiable information; or, that the\nassessment of the sec\xe2\x80\x99s physical                            information media has been properly disposed of, if it\nsecurity program                                            cannot\tbe\tsanitized.\tThe\tobjectives\tof\tthe\tevaluation\t\nIn 2012, the OIG Office of Investigations completed         are to examine whether the SEC:\nan investigation of security violations at an SEC facil\xc2\xad    \xe2\x80\xa2\t adheres\tto\tits\tgoverning\tpolicies\tand\tprocedures\t\nity. The Office of Investigations referred the matter to         and Federal standards and policies for the\nthe Office of Audits, for consideration of appropriate           sanitization of information system media and\naudit work, on the basis of deficiencies that it had             portable and removable storage devices that are\nidentified in the physical security of SEC facilities.           used on SEC\xe2\x80\x99s network;\n                                                            \xe2\x80\xa2\t ensures\tthat\tsensitive/nonpublic\tinformation\t\nThe OIG has hired a contractor to assess the SEC                 or personally identifiable information data\nOffice of Support Operations (OSO) physical secu\xc2\xad                is removed from information system media\nrity program\xe2\x80\x99s controls to safeguard SEC person\xc2\xad                 devices that are no longer being used; and\nnel and property. Specifically, the assessment will         \xe2\x80\xa2\t has\tinternal\tcontrols\tand\ttesting\tmethods\tfor\t\nexamine 1) the OSO\xe2\x80\x99s compliance with governing                   the sanitization of information system media\nphysical security Federal laws and regulations and               that are effective in minimizing the risk that\napplicable SEC policy and procedures; 2) the effec\xc2\xad              sensitive/nonpublic information or personally\ntiveness of physical security policies and procedures;           identifiable information is not unintentionally\nand 3) the adequacy of preventive internal control               retained on information system media that are\nprocedures and practices to oversee physical security            no longer being used.\nat SEC facilities. The contractor will summarize its\nfindings in a report, which the OIG will issue, on          After completing its assessment, the contractor will\ncompletion of the assessment.                               summarize its findings in a report, which the OIG\n                                                            will issue.\nassessment of the sanitization of the\nsec\xe2\x80\x99s information system media                              assessment of the sec\xe2\x80\x99s hiring and\nThe National Institute of Standards and Technology          promotion practices for senior level staff\n(NIST) issued guidelines (NIST Special Publication          The OIG is conducting an audit of the SEC\xe2\x80\x99s practic\xc2\xad\n800-88, Guidelines for Media Sanitization, September        es for hiring senior level officials. We have completed\n2006) that instruct agencies to properly sanitize digital   our fieldwork and are drafting the audit report. The\nand nondigital information system media, such as dis\xc2\xad       audit examines whether the SEC Office of Human\nkettes, magnetic tapes, external/internal hard drives,      Resources (OHR) adheres to applicable Federal\nflash/thumb drives, optical disks, paper/microfilm,         statutes and regulations and has adequate policies\nservers, routers, and switches containing sensitive data    and procedures for filling senior level vacancies. The\nbefore the items leave the agency\xe2\x80\x99s control.                audit is also reviewing whether OHR communicates\n                                                            its hiring authority, decisions, and changes to the\nThe OIG hired a contractor to evaluate the SEC\xe2\x80\x99s            appropriate personnel and takes appropriate action\ncontrols for sanitization of information system             on any improper hirings or promotions.\nmedia before the media leaves the SEC\xe2\x80\x99s control.\nThe contractor will examine whether the SEC has             We expect to issue a final report during the next\neffective policies and practices to ensure that informa\xc2\xad    semiannual reporting period.\n\n\n\n\n14   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0c                                 inVeStigationS\n\n\nOverview                                                   to receive and process tips and complaints about\n\n\n\nT\n        he Inspector General Act of 1978, as               fraud, waste, or abuse related to SEC programs and\n        amended, requires OIGs to conduct inde\xc2\xad            operations. The Hotline allows individuals to report\n        pendent investigations of potential miscon\xc2\xad        their allegations to the OIG directly and confidentially.\nduct involving their agencies\xe2\x80\x99 programs, operations,\nand activities. The SEC Office of Investigations\nfocuses on investigating allegations of wrongdo\xc2\xad           investiGatiOns cOnducted\ning related to the SEC\xe2\x80\x99s programs and operations\nand may address administrative, civil, and criminal        investigation of contract and ethics\nviolations\tof\tlaws\tand\tregulations.\tThe\tsubject\tof\t        violations (report no. OiG-576)\nan OIG investigation can be any agency employee,           The OIG investigated allegations that a former SEC\ncontractor, or consultant, or any person or entity         headquarters manager authorized a contract with\ninvolved in alleged wrongdoing affecting the SEC\xe2\x80\x99s         a technology company to provide certain services\nprograms and operations.                                   at SEC Headquarters by individuals with whom\n                                                           the manager was affiliated in a personal capacity,\nIf an investigation reveals evidence of criminal activ\xc2\xad    even though the SEC had an existing contract with\nity, the Office of Investigations refers the matter to     another entity to provide these types of services.\nthe Department of Justice for possible prosecution\nor recovery of monetary damages and penalties. If          The OIG found evidence that the former manager\nthe Office of Investigations finds evidence of mis\xc2\xad        had failed to disclose to the contracting officer that\nconduct, it forwards a report of investigation to the      he had personal affiliations with the individuals\nappropriate management officials for consideration         to be employed under the contract and that the\nof disciplinary or remedial action.                        manager had provided a list of individuals for the\n                                                           technology company to hire. Although the awarded\nThe Office of Investigations adheres to the Council        contract included several option years and was for\nof the Inspectors General on Integrity and Efficien\xc2\xad       a maximum award amount of $3.5 million, the\ncy\xe2\x80\x99s Quality Standards for Investigations and appli\xc2\xad       SEC canceled the contract after only approximately\ncable guidelines issued by the U.S. Attorney General.      $5,800 was billed because the employment at SEC\n                                                           facilities of the individuals hired under the contract\nThe Office of Investigations manages the OIG Hot-          violated a policy of their primary employer, which is\nline, which is available 24 hours a day, 7 days a week,    an entity other than the technology company.\n\n\n                                                          APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013                  |   15\n\x0cThe former manager resigned before the OIG\xe2\x80\x99s            allegations of prohibited personnel\ninvestigation was completed, and the United States      practices (report no. OiG-586)\nAttorney\xe2\x80\x99s Office declined prosecution of the mat\xc2\xad      The OIG investigated allegations that certain SEC\nter. Therefore, the OIG determined that no further      senior officers had violated the merit system prin\xc2\xad\ninvestigative action was warranted and closed the       ciples and committed prohibited personnel practices\nmatter.                                                 by hiring former colleagues to work at the SEC.\n\nalleged prohibited personnel practices                  During its investigation, the OIG did not identify\nand improper telework arrangements                      evidence of any intent to provide an improper\n(case no. OiG-583)                                      advantage or preference in hiring. However, the\nThe OIG investigated a complaint of improper            OIG found that language in some of the SEC docu\xc2\xad\npractices by certain former managers at SEC             ments that one of the senior officers had prepared\nheadquarters, including a promotion process that        and used for hiring was similar to language in mate\xc2\xad\nallegedly violated the merit systems principles and     rials that the senior officer had received from her\nthe alleged use of improper telework arrangements.      former colleagues who ultimately applied for and\nSpecifically, the complaint alleged that former         obtained the positions. The OIG referred its report\nOHR managers 1) developed, approved, and used           to management for consideration of administrative\nvacancy announcements to facilitate the improper        action.\npromotions of two headquarters\xe2\x80\x99 employees who\neach had arrangements to telework from distant          allegations of false statements\nlocations 5 days per week; and 2) permitted those       (report no. OiG-587)\nemployees to telework 100 percent from remote           The OIG investigated allegations that a former SEC\nlocations while collecting geographic locality pay      Chairman provided inaccurate testimony during a\nthat was not aligned with their actual physical loca\xc2\xad   hearing before a Congressional subcommittee in\ntions or residences.                                    July 2011.\n\nThe OIG investigation did not substantiate a viola\xc2\xad     The OIG did not identify evidence that the Chair\xc2\xad\ntion of the merit system principles or instances of     man\xe2\x80\x99s testimony was intentionally inaccurate. The\nprohibited personnel practices by former man\xc2\xad           OIG found that the contemporaneous documenta\xc2\xad\nagement in the promotion of either employee.            tion (i.e., written record of events as they occurred)\nAdditionally, the OIG found that the 5-day, long-       and recollections of the witnesses were generally\ndistance telework arrangements\xe2\x80\x94such as those in         consistent with the former Chairman\xe2\x80\x99s testimony.\nquestion\xe2\x80\x94were permissible under relevant SEC            The U.S. Attorney\xe2\x80\x99s Office declined prosecution of\npolicies and procedures. However, the OIG found         the matter. Therefore, the OIG concluded its inves\xc2\xad\nthat one teleworking employee\xe2\x80\x99s official duty station   tigation.\nwas determined improperly and that, as a result,\nthe employee had been paid incorrectly. During the      allegations of privacy act violations\nprior semiannual reporting period, the OIG had          (report no. OiG-588)\nissued an investigative memorandum to manage\xc2\xad           The OIG investigated allegations that a former SEC\nment (IM-13-0001) to address that issue, as well as     employee had violated the Privacy Act of 1974\na similar issue identified in another investigation.    by disclosing certain SEC employees\xe2\x80\x99 personally\nThat memorandum is available on the OIG website         identifiable information (PII). The OIG conducted\nat http://www.sec-oig.gov/Reports/OOI/2013/             this\tinvestigation\tjointly\twith\tthe\tOIG\tfor\tthe\tU.S.\t\nIM-13-001(Long-Distance-Telework).pdf.                  Agency for International Development (USAID).\n\n\n\n\n16   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cThe USAID OIG had notified the SEC OIG that                of emails and interviews of SEC staff, the OIG did\nthe former SEC employee, who was working for a             not identify the individual who had provided the\nFederal agency under the USAID OIG\xe2\x80\x99s oversight,            information to the media outlet. On July 15, 2013,\nhad uploaded files that contained SEC employees\xe2\x80\x99           the OIG issued an investigative memorandum to\nPII to his new agency\xe2\x80\x99s computer system.                   management (IM-13-0002) to address the unauthor\xc2\xad\n                                                           ized disclosure of nonpublic information and then\nThe OIG did not identify any information that              concluded this investigation. That memorandum,\nwould support a criminal violation of the Privacy          which made four recommendations for improve\xc2\xad\nAct, and the U.S. Attorney\xe2\x80\x99s Office declined pros\xc2\xad         ments in controls relating to nonpublic and sensi\xc2\xad\necution of the case. The former SEC employee               tive information, is available on the OIG website\nadmitted that he took the files from the SEC\xe2\x80\x99s             at http://www.sec-oig.gov/Reports/OOI/2013/IM\xc2\xad\ncomputer system but stated that he did not intend          13-002(Disclosure_of_Nonpublic_Information).pdf.\nto take PII and was not aware that the data he took\nfrom the SEC contained PII. The OIG also did not           violations of sec ethics rules\nidentify any information showing that the SEC PII          (report no. OiG-594)\nwas made public or circulated beyond the former            The OIG investigated the failure of an SEC Senior\nSEC employee\xe2\x80\x99s personal thumb drive and current            Officer (SO) to report, on financial disclosure state\xc2\xad\nFederal employer\xe2\x80\x99s computer network.                       ments, the securities holdings of the SO\xe2\x80\x99s spouse and\n                                                           to comply with the SEC\xe2\x80\x99s supplemental ethics rules\nThe\tOIG\treported\tthe\tfindings\tof\tthe\tjoint\tinvestiga\xc2\xad      about employee financial transactions. The SEC\ntion to SEC management on April 30, 2013. On               Ethics Counsel had referred this matter to the OIG.\nJuly 8, 2013, the SEC Chief Information Officer\nnotified possibly affected individuals of the potential    Through its investigation, the OIG found evidence\ndata breach but also informed them that it did not         that the SO had not complied with various pro\xc2\xad\nappear that any third party had inappropriately            visions of the SEC\xe2\x80\x99s Supplemental Ethics Rules\naccessed their PII.                                        because, for example, 1) the SO\xe2\x80\x99s spouse held a\n                                                           security interest (\xe2\x80\x9cimputed\xe2\x80\x9d to the SO by virtue of\nalleged leak of information contained                      their marriage) in entities directly regulated by the\nin an OiG report (case no. OiG-590)                        SEC; 2) the SO did not preclear, report, or certify\nThe OIG investigated an alleged leak of information        the\tvast\tmajority\tof\tthe\tspouse\xe2\x80\x99s\tfinancial\tholdings;\t\ncontained in a report of investigation that the OIG        and 3) the SO did not report all assets required to\npreviously issued to the SEC about the mismanage\xc2\xad          be disclosed on the financial disclosure forms. The\nment of a computer security lab in the SEC Divi\xc2\xad           OIG also identified evidence that the SO had worked\nsion of Trading and Markets. Specifically, articles        on one matter that involved former employees of\npublished by a third-party media outlet discussed          a company in which the SO\xe2\x80\x99s spouse owned stock.\ninformation that SEC management considered to              Further, the OIG found that the SO had disclosed\nbe nonpublic and that SEC management previously            nonpublic information to the SO\xe2\x80\x99s spouse.\nhad redacted from the version of the investigative\nreport that was made available outside the SEC.            The United States Attorney\xe2\x80\x99s Office declined pros\xc2\xad\n                                                           ecution of the matter and, on September 3, 2013,\nThe OIG found that the articles published by the           the OIG reported the findings of its investigation\nmedia outlet contained information that had been           to SEC management. Management\xe2\x80\x99s decision on\nredacted from the OIG\xe2\x80\x99s report and was not publicly        administrative action was pending at the end of the\navailable. However, on the basis of the OIG\xe2\x80\x99s review       semiannual reporting period.\n\n\n\n\n                                                          APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013               |   17\n\x0c                         ReVieW of legiSlation\n\n                           and RegulationS\n\n          During this semiannual reporting period, the OIG reviewed and monitored the following legislation:\n\n          p.l. 113-6       Consolidated and Further Continuing Appropriations Act, 2013,\n                           Section 3003 (enacted March 26, 2013)\n\n          p.l. 112-194     Government Charge Card Abuse Prevention Act of 2012\n                           (enacted October 5, 2012)\n\n          p.l. 112-199     Whistleblower Protection Enhancement Act of 2012\n                           (enacted November 27, 2012)\n\n          p.l. 112-239     National Defense Authorization Act for Fiscal Year 2013\n                           (enacted January 3, 2013)\n\n\n\n\n                         management deCiSionS\n\n\n     status of recommendations with no management decisions\n     management decisions have been made on all audit reports issued before the beginning of\n     this reporting period.\n\n     revised management decisions\n     no management decisions were revised during the period.\n\n     agreement with significant management decisions\n     the OiG agrees with all significant management decisions regarding audit\n     recommendations.\n\n     instances where the agency refused or failed to provide information to the OiG\n     during this reporting period, there were no instances where the agency unreasonably\n     refused or failed to provide information to the OiG.\n\n\n\n\n18    |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0c                                            taBleS\ntable 1. list of reports: audit and evaluations\n\n     report number                                title                                  date issued\n         516          implementation of the current Guidance on economic analysis in\n                      sec rulemakings                                                     6/6/2013\n         518          use of the current Guidance on economic analysis in\n                      sec rulemakings                                                     6/6/2013\n         520          library of congress Office of inspector General\n                      system review report                                                9/3/2013\n\n\n\ntable 2. reports issued with costs questioned or funds put to better use\n(including disallowed costs)\n\n                                                                        no. of reports       value\na. reports issued prior to this period\n      for which no management decision had been made on any\n      issue at the commencement of the reporting period                        0              $0\n      for which some decisions had been made on some issues at the\n      commencement of the reporting period                                     0              $0\nb.    reports issued during this period                                        0              $0\n                                          total of categories a and b          0              $0\nc.    for which final management decisions were made during this period        0              $0\nd.    for which no management decisions were made during this period           0              $0\ne.    for which management decisions were made on some issues\n      during this period                                                       0              $0\n\n                                           total of categories c, d, and e     0              $0\n\n\n\n\n                                                      APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013         |   19\n\x0ctable 3. reports with recommendations on which corrective action has not been completed\nduring this semiannual reporting period, sec management provided the OiG with documentation to\nsupport their implementation of OiG recommendations. in response, the OiG closed 62 recommenda\xc2\xad\ntions related to 20 Office of audits and Office of investigations reports. the following table lists recom\xc2\xad\nmendations open 180 days or more.\n\n report number            rec.        issue\n and title                no.         date                   recommendation summary\n\n485 - assessment           8        9/29/2010     implement an agency-wide policy regarding shared\nof the sec\xe2\x80\x99s privacy                              folder structure and access rights, ensuring that only\nprogram                                           the employees involved with a particular case have\n                                                  access to that data. if an employee backs up additional\n                                                  information to the shared resources, only the employee\n                                                  and his or her supervisor should have access.\n489 - 2010 annual          5         3/3/2011     complete a logical access integration of the homeland\nfisma executive                                   security presidential directive 12 card no later than\nsummary report                                    december 2011, as reported to the Office of manage\xc2\xad\n                                                  ment and budget on december 31, 2010.\n492 - audit of sec\xe2\x80\x99s       7b        8/2/2011     develop and implement a mechanism to reward\nemployee recogni\xc2\xad                                 employees for superior or meritorious performance\ntion program and                                  within their job responsibilities through lump-sum per\xc2\xad\nrecruitment, relo\xc2\xad                                formance awards.\ncation, and reten\xc2\xad\ntion incentives\n497 - assessment           4        8/11/2011     ensure that security controls configurations that are\nof sec\xe2\x80\x99s continuous                               applied in the production environment are identical\nmonitoring program                                with those applied in the testing environment.\n497 - continued            5        8/11/2011     develop and implement written procedures to ensure\n                                                  consistency in the commission\xe2\x80\x99s production and testing\n                                                  environments. these procedures should detail the soft\xc2\xad\n                                                  ware and hardware components in both environments\n                                                  and specify the actions required to maintain consistent\n                                                  environments.\n501 - 2011 annual           1       2/2/2012      develop and implement a detailed plan to review and\nfisma executive                                   update Oit security policies and procedures and to cre\xc2\xad\nsummary report                                    ate Oit security policies and procedures for areas that\n                                                  lack formal policy and procedures.\n501 - continued            7        2/2/2012      tailor a baseline security controls set (with rationale) for\n                                                  applicable systems in accordance with the guidance in\n                                                  national institute of standards and technology (nist),\n                                                  Guide for Applying the Risk Management Framework\n                                                  to Federal Information Systems: A Security Life Cycle\n                                                  Approach, and nist, Recommended Security Controls\n                                                  for Federal Information Systems and Organizations.\n501 - continued            10       2/2/2012      conduct compliance scans of information technology\n                                                  (it) devices, according to the organizationally defined\n                                                  frequency in the policy and procedures, to ensure that\n                                                  all devices are configured as required by the Office of\n                                                  information technology\xe2\x80\x99s configuration management\n                                                  policy and procedures.\n\n\n20   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0ctable 3. reports with recommendations, continued\nrecommendations Open 180 days or more\n\n report number          rec.     issue\n and title              no.      date                recommendation summary\n\n501 - continued         13     2/2/2012    complete the implementation of the technical solu\xc2\xad\n                                           tion for linking multi-factor authentication to personal\n                                           identity verification cards for system authentication and\n                                           require use of the cards as a second authentication\n                                           factor by december 2012.\n509 - sec\xe2\x80\x99s con\xc2\xad         3     3/25/2013   ensure a system or protocols are developed to identify\ntrols Over sensitive/                      and track all sensitive and nonpublic information pro\xc2\xad\nnonpublic informa\xc2\xad                         vided to, or received from, the financial stability Over\xc2\xad\ntion collected and                         sight council (fsOc), the Office of financial research,\nexchanged with the                         or fsOc\xe2\x80\x99s member agencies. this system should track\nfinancial stability                        information owner\xe2\x80\x99s name, date information is received/\nOversight council                          sent, who the information is sent to/received from, and\nand Office of                              media used (e.g., cds, thumb drives, etc.).\nfinancial research\n509 - continued          4     3/25/2013   ensure documented procedures are developed to\n                                           ensure that individuals who serve as information owners\n                                           for sensitive and nonpublic information provided to, or\n                                           received from, the financial stability Oversight coun\xc2\xad\n                                           cil (fsOc), the Office of financial research or fsOc\n                                           member agencies, properly mark the documents (or\n                                           files containing documents) according to the sensitivity\n                                           level.\n512 - 2012 fisma         1     3/29/2013   revise it security assessment procedures to ensure\nexecutive summary                          they are consistent with current practices and include\nreport                                     verbiage to implement continuous monitoring and\n                                           requirements for ongoing assessment of a subset of\n                                           critical security controls.\n512 - continued          2     3/29/2013   develop and implement a continuous monitoring strate\xc2\xad\n                                           gy in accordance with nist special publication 800-137,\n                                           Information Security Continuous Monitoring for Federal\n                                           Information Systems and Organizations and nist spe\xc2\xad\n                                           cial publication 800-37, revision 1, Guide for Applying\n                                           Risk Management Framework to Federal Information\n                                           Systems: A Security Life Cycle Approach.\n512 - continued          3     3/29/2013   continue to implement the existing project for the\n                                           development and implementation of a comprehensive\n                                           risk management strategy in accordance with nist\n                                           special publication 800-37, revision 1, Guide for Apply\xc2\xad\n                                           ing Risk Management Framework to Federal Informa\xc2\xad\n                                           tion Systems: A Security Life Cycle Approach, address\xc2\xad\n                                           ing risk at the organization level, the mission and\n                                           business process level and the information system level.\n\n\n\n\n                                               APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013               |   21\n\x0ctable 3. reports with recommendations, continued\nrecommendations Open 180 days or more\n\n report number         rec.     issue\n and title             no.      date                 recommendation summary\n\n512 - continued         4     3/29/2013   ensure the Office of risk management coordinates with\n                                          the Office of information technology to provide train\xc2\xad\n                                          ing to management throughout the commission and\n                                          educate staff on their roles and responsibilities related to\n                                          operating in a three-tiered risk management framework.\n512 - continued         7     3/29/2013   review and update the existing it security awareness\n                                          training program to a) include specific role-based train\xc2\xad\n                                          ing based on the duties and responsibilities for staff\n                                          with information security roles; and b) track the prog\xc2\xad\n                                          ress and completion of it staff\xe2\x80\x99s role-based training.\n\n\n512 - continued         8     3/29/2013   review all plan of action and milestones (pOa&m) and\n                                          update the pOa&m tracking system to include future\n                                          remediation dates and ensure pOa&ms are closed or\n                                          mitigated to an acceptable level.\n514 - audit of the      4     3/29/2013   complete review of non-dormant registrant accounts\nsec\xe2\x80\x99s filing fees                         on the basis of the cost-benefit analysis the Office of\nprogram                                   financial management devised.\n515 - review of the     2     3/27/2013   determine whether the commission has certification\nsec\xe2\x80\x99s systems certi\xc2\xad                      and accreditation files that are stored on its contractor\xe2\x80\x99s\nfication and accred\xc2\xad                      off-site servers and, in the future, require contractor to\nitation process                           maintain all commission files on servers the commis\xc2\xad\n                                          sion owns and manages.\npi-09-05 \xe2\x80\x93 sec          1     2/22/2010   ensure, on a commission-wide basis, that all regional\naccess card                               offices are capable of capturing and recording building\nreaders in regional                       entry and exit information of commission employees.\nOffices\nrOi-551 \xe2\x80\x93 allega\xc2\xad       1     3/30/2011   employ technology that will enable the agency to\ntions of unauthor\xc2\xad                        maintain records of phone calls made from and\nized disclosures of                       received by sec telephones.\nnonpublic informa\xc2\xad\ntion during sec\ninvestigations\nim-13-101 \xe2\x80\x93 long-       1     3/25/2013   institute effective written policies and procedures to\ndistance telework                         ensure that bargaining unit and non-bargaining unit\nagreements                                employees who participate in full-time, long distance\n                                          telework are paid properly and in a consistent manner.\nim-13-101 \xe2\x80\x93             2     3/25/2013   review the telework arrangements for all employees\ncontinued                                 who participate in full-time, long-distance telework and\n                                          make changes as necessary to ensure that the official\n                                          duty station and locality pay are set appropriately and\n                                          consistently for those employees.\n\n\n\n\n22   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0ctable 4. summary of investigative activity\n\n  cases                                                                            number\n  cases Open as of 3/31/2013                                                         13\n  cases Opened during 4/1/2013 - 9/30/2013                                           12\n  cases closed during 4/1/2013 - 9/30/2013                                            8\n  total Open cases as of 9/30/2013                                                   17\n  referrals to department of Justice for prosecution                                  8\n  prosecutions                                                                        0\n  convictions                                                                         0\n  referrals to OiG Office of audits                                                   1\n  referrals to agency for administrative action                                       4\n\n  preliminary inquiries                                                            number\n  inquiries Open as of 3/31/2013                                                     26\n  inquiries Opened during 4/1/2013 - 9/30/2013                                       25\n  inquiries closed during 4/1/2013 - 9/30/2013                                       23\n  total Open inquiries as of 9/30/2013                                               28\n  referrals to OiG Office of audits                                                   2\n  referrals to agency for administrative action                                       1\n\n  disciplinary actions (including referrals made in prior periods)                 number\n  removals (including resignations and retirements)                                   2\n  suspensions                                                                        0\n  reprimands                                                                         0\n  warnings/Other actions                                                               1\n\n\n\ntable 5. summary of complaint activity\n\n  complaints received during the period                                            number\n  complaints pending disposition at beginning of period                               17\n  hotline complaints received                                                        183\n  Other complaints received                                                          122\n  total complaints received                                                         305\n  complaints on which a decision was made                                            317\n  complaints awaiting disposition at end of period                                     5\n\n  dispositions of complaints during the period                                     number\n  complaints resulting in investigations                                               8\n  complaints resulting in inquiries                                                   21\n  complaints referred to OiG Office of audits                                          2\n  complaints referred to Other agency components                                    146\n  complaints referred to Other agencies                                                3\n  complaints included in Ongoing investigations or inquiries                          17\n  response sent/additional information requested                                     64\n  no action needed                                                                   56\n\n\n\n\n                                                      APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013   |   23\n\x0ctable 6. references to reporting requirements of the inspector General act\n\n     section    inspector General act reporting requirement                                    pages\n     4(a)(2)    review of legislation and regulations                                              18\n     5(a)(1)    significant problems, abuses, and deficiencies                       6\xe2\x80\x938; 11\xe2\x80\x9313; 15\xe2\x80\x9317\n     5(a)(2)    recommendations for corrective action                                     11\xe2\x80\x9313; 16\xe2\x80\x9317\n     5(a)(3)    prior recommendations not yet implemented                                     20\xe2\x80\x9322\n     5(a)(4)    matters referred to prosecutive authorities                                 15\xe2\x80\x9317; 23\n     5(a)(5)    summary of instances where the agency\n                unreasonably refused or failed to provide information to the OiG                   18\n     5(a)(6)    list of OiG audit and evaluation reports issued during the period                  19\n     5(a)(7)    summary of significant reports issued during the period                   11\xe2\x80\x9313; 15\xe2\x80\x9317\n     5(a)(8)    statistical table on management decisions with\n                respect to questioned costs                                                        19\n     5(a)(9)    statistical table on management decisions on\n                recommendations that funds be put to better use                                    19\n     5(a)(10)   summary of each audit, inspection or evaluation report\n                Over six months Old for which no management decision has been made                 18\n     5(a)(11)   significant revised management decisions                                           18\n     5(a)(12)   significant management decisions with which the\n                inspector General disagreed                                                        18\n     5(a)(14)(b) date of the last peer review conducted by another OiG                             25\n\n     5(a)(16)   peer reviews conducted of another Office of inspector General                  25\xe2\x80\x9326\n\n\n\n\n24    |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0c                appendix a\n\n      peeR ReVieWS of oig opeRationS\n\npeer review Of the sec OiG\xe2\x80\x99s                            peer review Of the sec OiG\xe2\x80\x99s\naudit OperatiOns                                        investiGative OperatiOns\nIn accordance with CIGIE quality control and            During the semiannual reporting period, the SEC\nassurance standards, an OIG audit team assesses         OIG did not have an external peer review of its\nanother OIG\xe2\x80\x99s audit functions approximately every       investigative operations. Peer reviews of Designated\n3 years. The most recent external peer review of        Federal Entity OIGs, such as the SEC OIG, are\nthe SEC OIG\xe2\x80\x99s audit operations was conducted            conducted on a voluntary basis. The most recent\nlast year.                                              peer review of the SEC OIG\xe2\x80\x99s investigative opera\xc2\xad\n                                                        tions was conducted by the OIG of the U.S. Equal\nThe Legal Services Corporation (LSC) OIG con\xc2\xad           Employment Opportunity Commission (EEOC).\nducted an assessment of the Office of Audit\xe2\x80\x99s system    The EEOC OIG issued its report on the SEC OIG\xe2\x80\x99s\nof quality control for the period ending March 31,      investigative operations in July 2007. That report\n2012. The review focused on whether the SEC OIG         concluded that the SEC OIG\xe2\x80\x99s system of quality for\nestablished and complied with a system of quality       the investigative function conformed to the profes\xc2\xad\ncontrol that was suitably designed to provide the       sional standards established by the President\xe2\x80\x99s Coun\xc2\xad\nSEC OIG with a reasonable assurance of conform\xc2\xad         cil on Integrity and Efficiency and the Executive\ning with applicable professional standards.             Council on Integrity and Efficiency (now CIGIE).\n\nOn August 23, 2012, the LSC OIG issued its report,      A peer review of the investigative operations of the\nconcluding that the SEC OIG complied with its           SEC OIG is scheduled for FY 2014.\nsystem of quality control and that the system was\nsuitably designed to provide the SEC OIG with\nreasonable assurance of performing and reporting        peer review Of the library Of\nin conformity with applicable government auditing       cOnGress OiG\xe2\x80\x99s audit OperatiOns\nstandards in all material respects. On the basis of     In accordance with CIGIE quality control and assur\xc2\xad\nits review, the LSC OIG gave the SEC OIG a peer         ance standards, an OIG audit team assesses another\nreview rating of \xe2\x80\x9cpass.\xe2\x80\x9d (Federal audit organiza\xc2\xad       OIG\xe2\x80\x99s audit functions approximately every 3 years.\ntions can receive a rating of \xe2\x80\x9cpass,\xe2\x80\x9d \xe2\x80\x9cpass with        Toward that end, the SEC OIG assessed the Library\ndeficiencies,\xe2\x80\x9d or \xe2\x80\x9cfail.\xe2\x80\x9d) The LSC OIG did not          of Congress (LOC) OIG, Office of Audit\xe2\x80\x99s system of\nmake any recommendations. Further, there are no         quality control in effect for the year ended March\noutstanding recommendations from previous peer          31, 2013. The review focused on whether the LOC\nreviews of the SEC OIG\xe2\x80\x99s audit organization.            OIG had established and complied with a system\n                                                        of quality control that was designed to provide the\nThe peer review report is available on the SEC OIG      LOC OIG with reasonable assurance that its audits\nwebsite at http://www.sec-oig.gov/Reports/Other/        conform with applicable professional standards.\nFinalPeerReviewReport-SEC.pdf.\n\n\n\n\n                                                       APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013               |   25\n\x0cOn September 3, 2013, the SEC OIG issued a letter      review of the investigative operations of the OIG of\nreport to the LOC OIG concluding that the system       the Federal Election Commission (FEC). The review\nof quality control for the LOC OIG\xe2\x80\x99s audit organi\xc2\xad     covered the period of April 2011 through March\nzation in effect for the year ended March 31, 2013,    2013. The OIG conducted the peer review in accor\xc2\xad\nhad been suitably designed and complied with to        dance with the \xe2\x80\x9cQualitative Assessment Review\nprovide the LOC OIG with reasonable assurance          Guidelines for Investigative Operations of Federal\nof performing and reporting in conformity with         Offices of Inspector General, dated\napplicable professional standards in all material      December 2011.\xe2\x80\x9d\nrespects. On the basis of its review, the SEC OIG\ngave the LOC OIG a peer review rating of \xe2\x80\x9cpass.\xe2\x80\x9d       In conducting its review, the SEC OIG held an\nThe SEC OIG\xe2\x80\x99s report included 1) a finding that        entrance briefing, reviewed and analyzed the FEC\nthe SEC OIG did not consider significant enough to     OIG\xe2\x80\x99s investigations manual and other documents,\naffect the opinion expressed in its report; and 2) a   interviewed relevant staff members, and held an\nrecommendation related to that finding. The LOC        exit conference. The SEC OIG completed its peer\nOIG agreed with the SEC OIG\xe2\x80\x99s recommendation           review of the FEC OIG\xe2\x80\x99s investigative operations\nand has implemented it.                                in September 2013. On September 23, 2013, the\n                                                       SEC OIG issued a letter report concluding that, in\n                                                       its opinion, the internal safeguards and management\npeer review Of the federal                             procedures for the investigative functions of the\nelectiOn cOmmissiOn OiG\xe2\x80\x99s                              FEC OIG in effect for the period of its review were\ninvestiGative OperatiOns                               in compliance with the quality standards established\nDuring the semiannual reporting period, the SEC        by CIGIE.\nOIG\xe2\x80\x99s Office of Investigations conducted a peer\n\n\n\n\n26   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0c                    appendix B\n\n           oig SeC emploYee SuggeStion\n\n             pRogRam annual RepoRt\n\nOverview                                                   summary Of emplOyee\nThe OIG established the OIG SEC Employee Sug\xc2\xad              suGGestiOns and alleGatiOns\ngestion Program in accordance with Section 966 of          Between October 1, 2012, and September 30, 2013,\nthe Dodd-Frank Wall Street Reform and Consumer             the OIG received and analyzed 27 suggestions or\nProtection Act (Dodd-Frank Act), which required            allegations. The tables on page 28 show the follow\xc2\xad\nthe Inspector General to establish a suggestion            ing details:\nprogram for employees of the SEC. The OIG estab\xc2\xad\nlished its Employee Suggestion Program on Septem\xc2\xad          (1) the nature, number, and potential benefits of\nber 27, 2010. As required by the Dodd-Frank Act,                suggestions received;\nthe SEC OIG has prepared this third annual report          (2) the nature, number, and seriousness of allega\xc2\xad\ncontaining a description of suggestions and allega\xc2\xad             tions received;\ntions received, recommendations made or action             (3)\t recommendations that the OIG made or actions\ntaken by the OIG, and action taken by the SEC                   it took in response to allegations that were\nin response to suggestions or allegations from                  substantiated; and\nOctober 1, 2012, through September 30, 2013.               (4) actions that the SEC took in response to sugges\xc2\xad\n                                                                tions or allegations.\nThrough the SEC OIG employee suggestion pro\xc2\xad\ngram, the OIG receives suggestions from agency             Note: Some suggestions or allegations fit into more\nemployees for improvements in the SEC\xe2\x80\x99s work               than one category, so the numbers in the charts\nefficiency, effectiveness, and productivity, and use of    below add up to more than the total number of\nits resources, as well as allegations by employees of      allegations or suggestions we received.\nwaste, abuse, misconduct, or mismanagement within\nthe SEC. To make it easier for employees to partici\xc2\xad\npate in the program, the OIG has set up an elec\xc2\xad\ntronic mailbox and telephone hotline that employees\ncan use to make their suggestions or allegations. The\nOIG has established formal policies and procedures\nthat encompass the receipt and handling of employee\nsuggestions and allegations under the program.\n\n\n\n\n                                                          APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013             |   27\n\x0c     nature and potential benefits of suggestion                                              number\n     increase efficiency or productivity                                                         5\n     increase effectiveness                                                                     6\n     increase the use of resources or decrease costs                                            9\n\n     nature and seriousness of allegation                                                     number\n     mismanagement and/or discrimination                                                        4\n     waste of sec resources                                                                     8\n     misconduct by an employee                                                                   1\n\n\n     action taken by the OiG in response to suggestion or allegation                          number\n     memorandum to or communication with the sec requesting action be taken                     11\n     referred to OiG Office of investigations                                                   0\n     referred to OiG Office of audits                                                            1\n     OiG Office of investigations opened preliminary inquiry                                    0\n     researched issue, but no further action by the sec was necessary                            8\n\n     action taken by sec management                                                           number\n     sec management took specific action to address the suggestion                              6\n     the sec decided to secure new technology in response to the suggestion                     0\n     sec management is considering the suggestion in context of existing procedures              2\n     sec management initiated an internal review                                                 2\n\n\n\nexamples Of suGGestiOns                                ability to provide automatic updates or alerts to\nand alleGatiOns                                        examiners. The OIG forwarded this suggestion to\n                                                       the Office of Information Technology, the Division\nupdating sec information systems                       of Enforcement, and the Division of Economic and\nThe OIG received a suggestion about updating           Risk Analysis for their consideration when explor\xc2\xad\ncertain SEC information systems\xe2\x80\x94the Division           ing system capabilities and future system upgrades.\nof Enforcement Name Relationship Search Index          The OIG expects management\xe2\x80\x99s response to this\n(NRSI) and the SEC Tips, Complaints, and Referrals     suggestion in November 2013.\n(TCR) system. The employee suggested modify\xc2\xad\ning the NRSI and the TCR system to automatically       information-sharing blog\nsearch for and send updated information about spe\xc2\xad     An employee suggested that the agency create an\ncific registrants that National Examination Program    \xe2\x80\x9cinternal SEC community blog\xe2\x80\x9d where SEC employ\xc2\xad\nexaminers are currently examining. Those automatic     ees could ask questions and also answer questions\nsearches would assist the examiners in ensuring that   that other SEC employees pose. The employee stated\nthey have the most current information available.      that such a blog would leverage staff knowledge.\n                                                       The OIG determined that certain offices within the\nOn the basis of the OIG\xe2\x80\x99s review of the suggestion,    SEC have created information sharing tools, and\nwe determined that there are currently procedures      a\tsimilar\tproject\tis\tin\tthe\tqueue\tfor\tcertain\tother\t\nin place to alert examination staff if a new TCR       offices, although an agencywide information sharing\nrelated to an open examination is received. How\xc2\xad       blog has not been established.\never, neither the TCR system nor NRSI has the\n\n\n\n\n28    |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cThe OIG forwarded this suggestion to the Office           online reporting process was not user friendly and\nof Information Technology SharePoint Commit\xc2\xad              was cumbersome.\ntee for consideration. The OIG received a response\nindicating that the Office of Public Affairs is work\xc2\xad     The OIG discussed this allegation with the OIT.\ning on assessing the feasibility of implementing this     The OIT informed us that the telephone replace\xc2\xad\nsuggestion and is looking at a variety of enterprise      ment process began after the SEC received notifica\xc2\xad\ncollaboration tools.                                      tion that the prior telephone models would no lon\xc2\xad\n                                                          ger be serviced. The OIT stated that it used a pilot\ncentralized database of                                   program to test the new telephone model before\nelectronic communications                                 it was selected as the agencywide standard model.\nAn employee suggested that the SEC create a cen\xc2\xad          The OIG also reviewed the OIT\xe2\x80\x99s online reporting\ntralized database of electronic communications (i.e.,     mechanism and noted that a listed email address did\nemails) that the Office of Compliance Inspections         not appear to be functional.\nand Examinations (OCIE) requests and receives\nduring examinations. Specifically, the employee sug\xc2\xad      Although the OIG determined that the telephones\ngested that the emails collected during examinations      were replaced because of an upcoming discontinu\xc2\xad\nbe archived into an accessible, centralized database      ation of service, the OIG forwarded the suggestion\nto allow examiners to perform keyword searches            to the OIT to consider (1) providing additional\nduring examinations to determine whether elec\xc2\xad            communication to employees about the telephone\ntronic communications from previous examinations          replacement process; (2) implementing policies and\ncontain the same issues or concerns, as well as any       procedures designed to enhance direct communi\xc2\xad\ntype of related information.                              cation with employees about future technology\n                                                          changes; and (3) whether additional methods for\nThe OIG determined that the creation and mainte\xc2\xad          employees to contact the OIT with comments or\nnance of a centralized database of emails could be        suggestions would be beneficial. The OIG expects\nbeneficial for data mining, as well as trend analysis     management\xe2\x80\x99s response to this suggestion in\nand risk assessment. During preliminary discus\xc2\xad           November 2013.\nsions about this suggestion, OCIE and the Office\nof General Counsel acknowledged the potential             allocation of laptops\nbenefits, but indicated the need to consider issues       The OIG received an allegation about the alloca\xc2\xad\nsuch as any legal and privacy ramifications of hous\xc2\xad      tion and acquisition of new laptops in OCIE. The\ning these emails in a centralized database. The OIG       employee stated that OCIE employees were offered\nexpects management\xe2\x80\x99s response to this suggestion in       a choice between two laptop models, but examin\xc2\xad\nOctober 2013.                                             ers\xe2\x80\x99 needs were not taken into account, and many\n                                                          employees did not receive the model they selected\ntelephone replacement and                                 and had to work with inferior computers.\nOnline reporting process\nThe OIG received an allegation about the SEC\xe2\x80\x99s            The OIG discussed this allegation with the OIT.\nreplacement of agency telephones. Specifically, the       The OIT indicated that various laptop models were\nemployee stated that the new telephones were an           tested and that the models offered and provided to\nunnecessary and wasteful expense and employees            examiners were selected on the basis of user feed\xc2\xad\ndid not receive adequate notification of this technol\xc2\xad    back. The OIT stated that it was unable to provide\nogy change. The employee also stated that the OIT\xe2\x80\x99s       every examiner with his or her first choice of model\n\n\n\n\n                                                         APRIL 1, 2013 \xe2\x80\x93 SEPTEMBER 30, 2013               |    29\n\x0cbecause of budget constraints and the large number      cOnclusiOn\nof requests for a particular model. The OIT further     The OIG continues to be pleased with the effective\xc2\xad\nstated that both models were designed to meet the       ness of the OIG SEC Employee Suggestion Program.\nneeds of examination staff. On the basis of the OIG\xe2\x80\x99s   We have received favorable responses from the\nreview, it appears that examiners\xe2\x80\x99 needs were taken     agency on several suggestions that we submitted for\ninto account in connection with the allocation and      its consideration. Many suggestions have resulted in\nacquisition of new laptops, and it does not appear      positive changes that will improve the efficiency and\nthat employees were asked to work with equipment        effectiveness of employees or conserve the agency\xe2\x80\x99s\nthat was not designed to meet their needs. Therefore,   resources. The OIG anticipates receiving favorable\nthe OIG determined that no further action was war\xc2\xad      responses to suggestions that the agency is currently\nranted in response to this allegation.                  reviewing and will continue to encourage employees\n                                                        to make suggestions through the program.\n\n\n\n\n30   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0c         OiG cOntact infOrmatiOn\n\nHelp ensure the integrity of SEC operations. Report to the OIG\nsuspected fraud, waste, or abuse in SEC programs or operations as\nwell as SEC staff or contractor misconduct. Contact the OIG by:\n\nphone\t           Hotline          877.442.0854\n                 Main Office      202.551.6061\n\nweb-bASed        www.sec-oig.gov/ooi/hotline.html\nhoTlIne\n\n\nfAx \t            202.772.9265\n\nmAIl\t            Office of Inspector General\n                 U.S. Securities and Exchange Commission\n                 100 F Street, NE Washington, DC 20549\xe2\x80\x932977\n\nemAIl\t           oig@sec.gov\n\n\n\nInformation received is held in confidence upon request. While\nthe OIG encourages complainants to provide information on how\nthey may be contacted for additional information, anonymous\ncomplaints are also accepted.\n\x0cThis report is available on the\n\nInspector General\xe2\x80\x99s website\n\nwww.sec.gov/about/offices\n\n/inspector_general.shtml.\n\x0c'